@sskaje

Tag: vyos

  • VyOS-1x build script on VyOS

    Put vyos/vyos-1x code to /config/build/vyos-1x

    Script as /config/build/build.sh

    #!/bin/sh


cat << 'EOF' > /etc/apt/sources.list.d/debian.sources
Types: deb deb-src
URIs: https://mirrors.tuna.tsinghua.edu.cn/debian
Suites: bookworm bookworm-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb deb-src
URIs: https://mirrors.tuna.tsinghua.edu.cn/debian-security
Suites: bookworm-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF


podman pull docker.io/vyos/vyos-build:current

mkdir -p /config/build
cd /config/build

rm -f /config/build/vyos-1x-* /config/build/vyos-1x_*

chown -R vyos: /config/build
chmod 777 /config/build

podman run --rm -it --privileged --network host -v /config/build:/vyos -w /vyos/vyos-1x vyos/vyos-build:current dpkg-buildpackage -uc -us -tc -b


dpkg -i vyos-1x_1.5dev0-*_amd64.deb

systemctl restart vyos-configd

chown -R vyos: /config/build
chmod 777 /config/build

  • VyOS Debug PBR & NAT

    As ROOT.

    Keyword: nftrace

    Edit VyOS generated NFT files: /run/nftables*.

    Enable nftrace on full chain 

    table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        meta nftrace set 1
        iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
    }
}

    Make sure nftrace is enabled before other rules!

    Enable nftrace on SINGLE RULE.

    table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
    }

    chain VYOS_PBR_UD_MY_PBR_RULES {
        ip saddr  @A_SRC_HIJACK_MITMPROXY counter meta mark set 2147483628 meta nftrace set 1 return comment "ipv4-route-ROUTE_CLASH_TUN-50"
    }
}

    Test & Apply

    # Test
nft --check --file /run/nftables_policy.conf
# Apply
nft --file /run/nftables_policy.conf

    Monitor

    nft monitor trace

    Example Result

    trace id 0abb78f9 ip vyos_mangle VYOS_PBR_PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_static_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_conntrack PREROUTING_HELPER packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip raw VYOS_TCP_MSS packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_mangle VYOS_PBR_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 inet mangle FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip protocol udp ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_filter VYOS_FORWARD_filter packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_filter VYOS_ZONE_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_mangle VYOS_PBR_POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip nat VYOS_PRE_SNAT_HOOK packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_static_nat POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001

  • VyOS 实现LAN 流量劫持

    以前 EdgeRouter 时代,使用的是 DNAT + redsocks + charles/mitmproxy 实现的流量劫持和分析,比较麻烦的点是,redsocks的配置文件需要维护,服务需要重启,每次系统升级(虽然好多年没升级了)都需要重装 redsock,所以当时搞了一套初始化脚本,脱离config tree自动安装deb,自动加载配置,自动symlink配置文件。

    换到 VyOS 之后,本来也想搞这一套,被研发打回来了,他们不接受过分灵活的config tree,让我用 container。

    新方案用 hev-socks5-tunnel,直接把流量转给另外一台主机上的mitmproxy。charles proxy也可以用同样的方法配置

    开 mitmweb,方便web看数据

    mitmweb --web-host 0.0.0.0 --mode socks5 --listen-port 8889

    下列命令创建container,配置PBR

    set container name tun2socks allow-host-networks
set container name tun2socks capability 'net-admin'
set container name tun2socks device dev-net-tun destination '/dev/net/tun'
set container name tun2socks device dev-net-tun source '/dev/net/tun'
set container name tun2socks environment CONFIG_ROUTES value '0'
set container name tun2socks environment IPV4 value '198.51.100.1'
set container name tun2socks environment LOG_LEVEL value 'debug'
set container name tun2socks environment MTU value '8500'
set container name tun2socks environment SOCKS5_ADDR value '192.168.11.19'
set container name tun2socks environment SOCKS5_PORT value '8889'
set container name tun2socks environment SOCKS5_UDP_MODE value 'udp'
set container name tun2socks environment TUN value 'tun9'
set container name tun2socks image 'ghcr.io/heiher/hev-socks5-tunnel:latest'


set protocols static table 19 description 'route to mitmproxy'
set protocols static table 19 route 0.0.0.0/0 interface tun9

set policy route PBR   interface 'eth2'
set policy route PBR rule 50 set table '19'
set policy route PBR rule 50 source group address-group 'SRC_HIJACK_MITMPROXY'


# firewall rules ...

    防火墙规则需要自己搞定,按需NAT。

    nftables 不支持 ipset 那样动态操作成员了,只能在config tree里维护。

    这个方法和以前一样,只能去分析 TCP 协议。如果有 UDP 的需求可以尝试 WireGuard 的方式。

  • VyOS Debug DHCP Server

    Add following to /usr/share/vyos/templates/dhcp-server/kea-dhcp4.conf.j2, node under .Dhcp4

        "loggers": [
      {
        "name": "kea-dhcp4",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp4.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp4.dhcpsrv",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp4-dhcpsrv.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp4.leases",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp4-leases.log",
            "maxver": 10
          }
        ]
      }
    ],

    Restart VyOS configd

    systemctl restart vyos-configd

    Update config in configure mode.

    View files under /var/log/kea

  • 北京联通猫棒 IPTV

    故事背景:家里拉了很多年的千兆,这两年才从 FTTB 换成 FTTH。但是之前买的千兆套餐不送 IPTV 了,而光改的时候,联通的工作人员帮我改了桥接,但是所有口都绑定了 Internet。现在开通IPTV需要初装费,还要月费,所以我就没开通。本来是不想折腾的,因为实在没空,但是被催了好久猫棒的事情,所以就临时下了个单,花了一天做了些实验。

    (more…)